♻️ migrate postgresql to truenas jail + minio https

ansible/ansible.cfg

@@ -18,6 +18,7 @@ fact_caching_connection     = ~/.ansible/facts_cache
 remote_port                 = 22
 timeout                     = 60
 host_key_checking           = False
+privatekeyfile              = ~/.ssh/id_ed25519
 # Plugin settings
 vars_plugins_enabled        = host_group_vars,community.sops.sops
 

ansible/inventory/group_vars/all/all.sops.yml

@@ -1,5 +1,9 @@
 kind: Secret
 secret_domain: ENC[AES256_GCM,data:SjdnR9pDjveodvo=,iv:GKvdD7c3bmaQN+CAYoKwAy78em9vYljGyl6VfGmJk9E=,tag:hz92J7d1NokEeyB6vxr3Uw==,type:str]
+public_ssh_keys:
+    - ENC[AES256_GCM,data:/J9ejzvJHV5wdz9Dj0jUmAaVtIkgVpEoIRJocNGhszY2bmu5mruwWSz6E+XkcAGE0zQMo/9N8imIZoXfq0UQSyfCCitrA09x1z0Hf0s3iSA=,iv:jzA3bIQw+pL4tjNASNMwMcdHW+vSxgVo4Czo/ja0AO8=,tag:iTEDjARfH96oXATQu8VR8Q==,type:str]
+    - ENC[AES256_GCM,data:c105qLvE6iHoBQl4X0qEFDPXOsiA+YGUVK4gl7O0pqHZ6IIs3m1Z28PKl84GuaPL1pV7I55KccQdAnqjQw0XSZ/lWI+IC2BXj3dJ6paLZNU=,iv:lQod/AwDquA22zJLmvpiuQvaPXo1JFSOV+9yybVjMZc=,tag:Z2eArvfrP8YN3irG45wMRw==,type:str]
+    - ENC[AES256_GCM,data:pMYg+hNpYCl5fwvNbz0bjm0KaEuIGMeBXXblTGpbur17Nxulnn5DQ5H3k8Wash1F9BJeBfQOTGXDx1XEfp2CDlymuLHdjP6xU7+daD0/JbA=,iv:49Mh9zGN5AJgTXGb8lF38jyme46nd7RqKil3PI13ww8=,tag:2c6jSEZImNEWvM3Asc2jhw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +19,8 @@ sops:
             c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy
             v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-11T15:03:36Z"
+    lastmodified: "2024-01-13T09:43:41Z"
-    mac: ENC[AES256_GCM,data:PYjJ/WxF8UXZPnccFdjtwsS+W2N1TQmNFtTIHazFLFiSxC4b6li7TcOEpQL2HClWeXwJXkUnWGUfH9YLEPVxlAqBygaDBdghPN0uTrKaV4ZaiAQ1EhtKfGDkIGvb+aDpbRuNH77nXzDv4ws3ObSdTCsHp2LOepi4NVSuEw6MlOY=,iv:Bk+VTEsAyeRQkf9wbcBpANeXvIvGn6JzOuHRM0ilF/s=,tag:6MT3xUDX/o3e1zu8WrGm/A==,type:str]
+    mac: ENC[AES256_GCM,data:R7gzINLxiaqSh4JgP9jhMTG1GaM5WnUA24Uv5OMVB3cHIjgE65o3ybjbmPGpAejpfQ+lKSKKXxeWRpissn9h6DVr1RLi5jnXlngMt5REDiNSsxRI7j3aktTvd2wJQUcGObrhngp+lhFPsufZuOg7hFdvcgCP3SM7sDwrxBaOjgk=,iv:XqaEQtFhBkm1qV7khzhftE2Sxy5xUH/I4/CBqKW9R+w=,tag:FRbncSBOFqVrFTEXmZf+uw==,type:str]
     pgp: []
     unencrypted_regex: ^(kind)$
     version: 3.8.1

ansible/inventory/host_vars/minio.sops.yaml

@@ -1,23 +0,0 @@
-kind: Secret
-minio_access_key: ENC[AES256_GCM,data:4MC50gc06VvP9BViitovlw==,iv:Bu8c986MyeHrMioPYlBG/zSzFv4EOytxTHkXZzI6Iow=,tag:EbRlKgdx63M8CDNa/8RrWQ==,type:str]
-minio_secret_key: ENC[AES256_GCM,data:zd7bC1c3pam4xqcsaZOf3A==,iv:8K8x9dcsByZ60pytIPl9ESUbZeu+7S8Z+faQEewDZB8=,tag:3/5b8ZzAIqrVtf37eziwjg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
-            bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
-            UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
-            ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
-            R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-09T13:25:29Z"
-    mac: ENC[AES256_GCM,data:ro+P8PAr0YDuer3CBf7XBIBz+YlnHGCDGIkKFw1TRvEeJNgNFF6mv+voPyiTFIHRh/541MNlzEyRpc0As1PHU/7O2SLBqKA3GnzaLM4s/5Euu7pXTFl3jtIXtTe1DMGTWmyvyqSNXEoEhPmjFn0bMXKhrINuVWxYkDspZxnnOe4=,iv:MZjiTvWIPacX55RZfVh8qUmVsNPMJaZcJIc8JmxuUag=,tag:Q6MnDbByAno9pwH0xWTKMA==,type:str]
-    pgp: []
-    unencrypted_regex: ^(kind)$
-    version: 3.8.1

ansible/inventory/host_vars/postgresql_v15.yml

@@ -0,0 +1 @@
+postgresql_version: 15

ansible/inventory/host_vars/postgresql_v16.yml

@@ -0,0 +1 @@
+postgresql_version: 16

ansible/inventory/host_vars/truenas-remote.yaml

@@ -1,4 +1,3 @@
 main_nas: false
 pool_name: vol1
 snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3"
-uptime_kuma_id_truenas_cert: Oxu1GVb5tl

ansible/inventory/host_vars/truenas.sops.yaml

@@ -2,6 +2,9 @@ kind: Secret
 root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str]
 ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str]
 ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str]
+minio_access_key: ENC[AES256_GCM,data:S4jElnraMiUip89QcF9VjQ==,iv:gSgUnDPTgIyXvmXt/ocIB3v6Dcq+c8ADrmQXVwgXVAM=,tag:ykHGBcHbZ431gvkxp6q+iA==,type:str]
+minio_secret_key: ENC[AES256_GCM,data:kfeIRjsEGFAsQmVw9QsyoA==,iv:milmhE0Y2mdW6Yx910IsRRwNO7JxsYhUL5wBDTOUBLU=,tag:Ghy68+5i4m/0+IIve23YJQ==,type:str]
+postgresql_password: ENC[AES256_GCM,data:Fm/TW9zb36GzPOstV2kt96WJPAJ/0ylsSKDzzJdLmmsUQINSsXag5g==,iv:KkdOsbTN8i6taJXpavBTXCcJhRyMzmwf3gjh/nubu5M=,tag:0wWqT3ij2mudjT/vZT9OjA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -17,8 +20,8 @@ sops:
             aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj
             VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-21T19:48:18Z"
+    lastmodified: "2024-01-14T10:19:17Z"
-    mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str]
+    mac: ENC[AES256_GCM,data:51zO9hPDmKOQN3ui9+/4tHVg+xYIoNw0y/BQ/f0QSW968ZhotHftQqLS7i9h14871zWPI8/J7m7hWb4X8LIS4Hn8Bf6PsBt6efm0QSsNvvaiUUwisn/WgbQXp7fF6NyN3f1beHJAm5a/qmVbuCYwySwDlZfAbrHnyY3ogq3dKjs=,iv:V2F4Dc7VxodM6d6ioD8tROjwPcU671a8IZzm8GWpihc=,tag:5JU0/QzcGjn2xJLbSB/tJA==,type:str]
     pgp: []
     unencrypted_regex: ^(kind)$
-    version: 3.7.3
+    version: 3.8.1

ansible/inventory/host_vars/truenas.yaml

@@ -1,5 +1,6 @@
 main_nas: true
 pool_name: storage
-service_s3: true
+iocage_pool_name: apps
+postgresql_pool_name: apps
+minio_pool_name: storage
 snapshots_interval: "daily:14,weekly:12,monthly:3"
-uptime_kuma_id_truenas_cert: f8nAZOHoQb

ansible/inventory/hosts.yml

@@ -1,21 +1,21 @@
 ---
 all:
   hosts:
-    localhost:
-      ansible_connection: local
-      ansible_python_interpreter: /usr/bin/python3
     coreelec:
       ansible_host: coreelec.{{ secret_domain }}
       ansible_user: root
-    minio:
-      ansible_host: 192.168.9.14
-      ansible_user: minio
   children:
     truenas-instances:
       hosts:
         truenas:
           ansible_host: truenas.{{ secret_domain }}
         truenas-remote:
+          ansible_host: truenas-remote.{{ secret_domain }}
           ansible_port: 35875
       vars:
         ansible_user: homelab
+    truenas-jails:
+      hosts:
+        minio_v2:
+        postgresql_v15:
+        postgresql_v16:

ansible/roles/truenas/handlers/main.yml

@@ -1,7 +0,0 @@
----
-- name: restart postgresql
-  ansible.builtin.service:
-    name: postgresql
-    state: restarted
-  delegate_to: "{{ postgres_jail_ip.stdout }}"
-  remote_user: root

ansible/roles/truenas/tasks/jails/init.yml

@@ -0,0 +1,32 @@
+---
+- block:
+  - name: jail-init | {{ outside_item.item }} | start jail
+    ansible.builtin.shell:
+      cmd: iocage list | grep -q '^.*\s{{ outside_item.item }}\s.*\sdown\s.*$' && iocage start {{ outside_item.item }}
+    failed_when: false
+
+  - name: jail-init | {{ outside_item.item }} | create .ssh directory
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
+
+  - name: jail-init | {{ outside_item.item }} | deploy ssh keys
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
+    loop: "{{ public_ssh_keys }}"
+
+  - name: jail-init | {{ outside_item.item }} | activate sshd
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'sysrc sshd_enable="YES"'
+
+  - name: jail-init | {{ outside_item.item }} | sshd permit root login
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
+
+  - name: jail-init | {{ outside_item.item }} | start sshd
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'service sshd start'
+
+  - name: jail-init | {{ outside_item.item }} | install packages
+    ansible.builtin.shell:
+      cmd: iocage exec {{ outside_item.item }} 'pkg install -y python39 bash sudo; ln -s /usr/local/bin/bash /bin/bash'
+  become: true

ansible/roles/truenas/tasks/jails/main.yml

@@ -0,0 +1,42 @@
+---
+- name: jails | check if jail exist
+  ansible.builtin.shell:
+    cmd: iocage list --header | awk '{print $2}' | grep --word-regexp {{ item }}
+  loop: "{{ groups['truenas-jails'] }}"
+  register: jails_check
+  changed_when: false
+  failed_when: jails_check.rc != 0 and jails_check.rc != 1
+
+- name: jails | is iocage fetch required
+  ansible.builtin.set_fact:
+    jail_missing: true
+  loop: "{{ jails_check.results }}"
+  when: item.rc == 1
+
+- block:
+    - name: jails | get current FreeBSD release
+      ansible.builtin.shell:
+        cmd: freebsd-version | cut -d '-' -f 1-2
+      register: release
+      failed_when: release.rc != 0
+
+    - name: jails | fetch iocage template {{ release.stdout }}
+      ansible.builtin.shell:
+        cmd: iocage fetch -r {{ release.stdout }}
+      become: true
+
+    - name: jails | create jail
+      ansible.builtin.shell:
+        cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on boot=on
+      loop: "{{ jails_check.results }}"
+      when: item.rc == 1
+      become: true
+
+    - name: jails | init jails
+      ansible.builtin.include_tasks: init.yml
+      loop: "{{ jails_check.results }}"
+      loop_control:
+        loop_var: outside_item
+      when: outside_item.rc == 1
+
+  when: jail_missing

ansible/roles/truenas/tasks/jails/minio-conf.yml

@@ -0,0 +1,70 @@
+---
+- name: jail-minio | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec minio_v2 ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: minio_jail_ip
+  become: true
+
+- name: jail-minio_v2 | copy letsencrypt certificate
+  ansible.builtin.copy:
+    src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+    remote_src: true
+    dest: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs/{{ item.dest }}
+    owner: 1002
+    group: 1002
+    mode: 0600
+  loop:
+    - { src: "fullchain.pem", dest: "public.crt" }
+    - { src: "key.pem", dest: "private.key" }
+  register: certificates
+  become: true
+
+- block:
+  - name: jail-minio | install minio
+    ansible.builtin.pkgng:
+      name:
+        - minio
+        - curl
+      state: present
+    register: installation
+
+  - name: jail-minio | create minio configuration in /etc/rc.conf
+    ansible.builtin.blockinfile:
+      path: /etc/rc.conf
+      state: present
+      block: |
+        # MINIO
+        minio_enable="YES"
+        minio_address=":9000"
+        minio_console_address=":9001"
+        minio_disks="/mnt/data"
+        minio_certs="/home/minio/certs"
+        minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }}"
+    no_log: false
+    register: configuration
+
+  - name: jail-minio | restart minio service
+    ansible.builtin.service:
+      name: minio
+      state: restarted
+      enabled: true
+    when: configuration.changed == true or installation.changed == true or certificates.changed == true
+
+  - name: jail-minio | wait for 5 seconds
+    ansible.builtin.pause:
+      seconds: 5
+
+  - name: jail-minio | check minio service
+    ansible.builtin.command: curl -s localhost:9000/minio/health/live
+    register: curl_result
+    ignore_errors: true
+    changed_when: false
+
+  - name: jail-minio | fail if curl command failed
+    ansible.builtin.fail:
+      msg: 'Curl command failed'
+    when: curl_result.rc != 0
+
+  delegate_to: "{{ minio_jail_ip.stdout }}"
+  remote_user: root

ansible/roles/truenas/tasks/jails/minio-init.yml

@@ -0,0 +1,32 @@
+---
+- block:
+    - name: jail-minio_v2_v2 | create zfs pools
+      community.general.zfs:
+        name: "{{ minio_pool_name }}/minio_v2"
+        state: present
+        extra_zfs_properties:
+          atime: off
+          setuid: off
+
+    - name: jail-minio_v2 | create empty data dir
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 mkdir -p /mnt/data
+
+    - name: jail-minio_v2 | mount data
+      ansible.builtin.shell:
+        cmd: iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0
+
+    - name: jail-minio_v2 | change create minio user
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 'pw useradd minio -u 1002 -g 1002 -d /home/minio -m'
+
+    - name: jail-minio_v2 | change owner on data dir
+      ansible.builtin.shell:
+        cmd: iocage exec minio_v2 'chown 1002:1002 /mnt/data'
+
+    - name: jail-minio_v2 | create certificates folder
+      ansible.builtin.file:
+        path: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs
+        owner: 1002
+        group: 1002
+  become: true

ansible/roles/truenas/tasks/jails/postgresql-conf.yml

@@ -0,0 +1,64 @@
+---
+- name: jail-{{ outside_item.item }} | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: postgresql_jail_ip
+  become: true
+
+- name: jail-{{ outside_item.item }} | copy letsencrypt certificate
+  ansible.builtin.copy:
+    src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+    remote_src: true
+    dest: /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item.dest }}
+    owner: 770
+    group: 770
+    mode: 0600
+  loop:
+    - { src: "fullchain.pem", dest: "server.crt" }
+    - { src: "key.pem", dest: "server.key" }
+  register: certificates
+  become: true
+  tags:
+    - certificates
+
+- block:
+  - name: jail-{{ outside_item.item }} | configure pg_hba
+    ansible.builtin.template:
+      src: postgresql/pg_hba.conf
+      dest: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_hba.conf
+      owner: postgres
+      group: postgres
+    register: pg_hba
+
+  - name: jail-{{ outside_item.item }} | postgresql configuration
+    community.postgresql.postgresql_set:
+      name: "{{ item.name }}"
+      value: "{{ item.value }}"
+    loop:
+      # listen to all addresses
+      - { name: 'listen_addresses', value: '*' }
+      # disable full page writes because of ZFS
+      - { name: 'full_page_writes', value: 'off' }
+      # SSL configuration
+      - { name: 'ssl', value: 'on' }
+      - { name: 'ssl_cert_file', value: 'server.crt' }
+      - { name: 'ssl_key_file', value: 'server.key' }
+      - { name: 'ssl_prefer_server_ciphers', value: 'on' }
+    loop_control:
+      loop_var: item
+    become: true
+    vars:
+      ansible_become_user: postgres
+    register: pg_conf
+
+  - name: restart postgresql
+    ansible.builtin.service:
+      name: postgresql
+      state: reloaded
+    when: certificates.changed or pg_hba.changed or pg_conf.changed
+    tags:
+      - certificates
+
+  delegate_to: "{{ postgresql_jail_ip.stdout }}"
+  remote_user: root

ansible/roles/truenas/tasks/jails/postgresql-init.yml

@@ -0,0 +1,134 @@
+---
+- name: jail-{{ outside_item.item }} | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: postgresql_jail_ip
+  become: true
+
+- block:
+    - name: jail-{{ outside_item.item }} | create zfs pools
+      community.general.zfs:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - "{{ postgresql_pool_name }}/postgresql"
+        - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}"
+
+    - name: jail-{{ outside_item.item }} | configure zfs pool postgresql
+      community.general.zfs:
+        name: "{{ postgresql_pool_name }}/postgresql"
+        state: present
+        extra_zfs_properties:
+          atime: off
+          setuid: off
+
+    - name: jail-{{ outside_item.item }} | create empty data{{ hostvars[outside_item.item]['postgresql_version'] }} dir
+      ansible.builtin.shell:
+        cmd: iocage exec {{ outside_item.item }} mkdir -p /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}
+
+    - name: jail-{{ outside_item.item }} | mount data{{ hostvars[outside_item.item]['postgresql_version'] }}
+      ansible.builtin.shell:
+        cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} nullfs rw 0 0
+  become: true
+
+- block:
+    - name: jail-{{ outside_item.item }} | packages
+      community.general.pkgng:
+        name:
+          - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-server
+          - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-contrib
+          - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-client
+          - py39-pip
+        state: present
+
+    - name: jail-{{ outside_item.item }} | pip packages
+      ansible.builtin.pip:
+        name: psycopg2
+        state: present
+
+    - name: jail-{{ outside_item.item }} | change postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} mod
+      ansible.builtin.file:
+        path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}
+        owner: postgres
+        group: postgres
+
+    - name: jail-{{ outside_item.item }} | initdb
+      ansible.builtin.shell:
+        cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}'
+
+    - name: jail-{{ outside_item.item }} | move base and pg_wal
+      ansible.builtin.shell:
+        cmd: su -m postgres -c 'mv /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0'
+      loop:
+        - base
+        - pg_wal
+
+    - name: jail-{{ outside_item.item }} | create base and pg_wal empty dirs
+      ansible.builtin.file:
+        path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}
+        state: directory
+        owner: postgres
+        group: postgres
+      loop:
+        - base
+        - pg_wal
+
+  delegate_to: "{{ postgresql_jail_ip.stdout }}"
+  remote_user: root
+
+- block:
+    - name: jail-{{ outside_item.item }} | create missing zfs pools
+      community.general.zfs:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/base"
+        - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_wal"
+
+    - name: jail-{{ outside_item.item }} | mount base
+      ansible.builtin.shell:
+        cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} nullfs rw 0 0
+      loop:
+        - base
+        - pg_wal
+
+  become: true
+
+- block:
+    - name: jail-{{ outside_item.item }} | move base and pg_wal content to mounts
+      ansible.builtin.shell:
+        cmd: mv /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0/* /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}/; rmdir /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0
+      loop:
+        - base
+        - pg_wal
+
+    - name: jail-{{ outside_item.item }} | change mod
+      ansible.builtin.file:
+        path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}
+        state: directory
+        owner: postgres
+        group: postgres
+        recurse: true
+      loop:
+        - base
+        - pg_wal
+
+    - name: jail-{{ outside_item.item }} | enable postgresql service
+      community.general.sysrc:
+        name: postgresql_enable
+        state: present
+        value: "YES"
+
+    - name: jail-{{ outside_item.item }} | start postgresql service
+      ansible.builtin.service:
+        name: postgresql
+        state: started
+
+    - name: jail-{{ outside_item.item }} | change postgresql password
+      postgresql_query:
+        login_user: postgres
+        query: ALTER USER postgres PASSWORD '{{ postgresql_password }}'
+
+  delegate_to: "{{ postgresql_jail_ip.stdout }}"
+  remote_user: root

ansible/roles/truenas/tasks/main.yml

@@ -7,3 +7,43 @@
 
 - ansible.builtin.include_tasks: wireguard.yml
   when: "main_nas == false"
+
+- ansible.builtin.include_tasks: jails/main.yml
+  when: "main_nas"
+
+- block:
+    - ansible.builtin.shell:
+        cmd: test -f /mnt/{{ minio_pool_name }}/minio_v2/.minio.sys/config/config.json/xl.meta
+      register: minio_data_exists
+      become: true
+      changed_when: false
+      failed_when: minio_data_exists.rc != 0 and minio_data_exists.rc != 1
+
+    - ansible.builtin.include_tasks: jails/minio-init.yml
+      when: minio_data_exists.rc == 1
+
+    - ansible.builtin.include_tasks: jails/minio-conf.yml
+      tags:
+        - certificates
+
+    - ansible.builtin.shell:
+        cmd: test -f /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[item]['postgresql_version'] }}/postgresql.conf
+      loop: "{{ groups['truenas-jails'] | select('search', 'postgresql') | list }}"
+      register: postgresql_data_exists
+      become: true
+      changed_when: false
+      failed_when: postgresql_data_exists.rc != 0 and postgresql_data_exists.rc != 1
+
+    - ansible.builtin.include_tasks: jails/postgresql-init.yml
+      loop: "{{ postgresql_data_exists.results }}"
+      loop_control:
+        loop_var: outside_item
+      when: outside_item.rc == 1
+
+    - ansible.builtin.include_tasks: jails/postgresql-conf.yml
+      loop: "{{ postgresql_data_exists.results }}"
+      loop_control:
+        loop_var: outside_item
+      tags:
+        - certificates
+  when: "main_nas"

ansible/roles/truenas/templates/scripts/snapshots_prune.sh

@@ -11,6 +11,7 @@ POOL_NAME="{{ pool_name }}"
 # Prune
 
 ${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals ${INTERVAL} ${POOL_NAME}
-${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio
+${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio_v2
 {% if main_nas %}${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:7 ${POOL_NAME}/video{% endif %}
+
 ${SCRIPT_PATH}/snapshots_clearempty.py --recursive ${POOL_NAME}

ansible/shell.nix

@@ -3,5 +3,6 @@ with pkgs;
   mkShell {
     buildInputs = [
       ansible
+      sshpass
     ];
   }

kubernetes/apps/default/atuin/app/externalsecret.yaml

@@ -15,10 +15,10 @@ spec:
       engineVersion: v2
       data:
         # App
-        ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/atuin"
+        ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/atuin"
         # Postgres Init
         INIT_POSTGRES_DBNAME: atuin
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
@@ -26,4 +26,4 @@ spec:
     - extract:
         key: atuin
     - extract:
-        key: cloudnative-pg
+        key: generic

kubernetes/apps/default/atuin/app/helmrelease.yaml

@@ -33,9 +33,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: atuin-secret

kubernetes/apps/default/atuin/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/default/atuin/app
   prune: true

kubernetes/apps/default/authelia/app/externalsecret.yaml

@@ -22,12 +22,13 @@ spec:
         AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
         AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
         AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
-        AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
         AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
+        AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
+        AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
         GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
         IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
-        MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}"
         WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
         GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
         # Postgres Init
@@ -39,7 +40,7 @@ spec:
   dataFrom:
     - extract:
         key: authelia
-    - extract:
-        key: cloudnative-pg
     - extract:
         key: lldap
+    - extract:
+        key: generic

kubernetes/apps/default/authelia/app/helmrelease.yaml

@@ -51,10 +51,10 @@ spec:
           reloader.stakater.com/auto: "true"
         initContainers:
           init-db:
+            order: 1
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: authelia-secret
@@ -94,8 +94,6 @@ spec:
               AUTHELIA_SESSION_NAME: authelia-home-ops
               AUTHELIA_SESSION_REDIS_HOST: authelia-redis.default.svc.cluster.local.
               AUTHELIA_SESSION_REDIS_PORT: 6379
-              AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
-              AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST}
               AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
               AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
               AUTHELIA_THEME: dark

kubernetes/apps/default/authelia/ks.yaml

@@ -8,7 +8,6 @@ metadata:
 spec:
   dependsOn:
     - name: cluster-apps-authelia-redis
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/default/authelia/app
   prune: true

kubernetes/apps/default/babybuddy/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
       data:
         # App
         DB_NAME: &dbName babybuddy
-        DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
         DB_USER: &dbUser "{{ .POSTGRES_USER }}"
         DB_PASS: &dbPass "{{ .POSTGRES_PASS }}"
         SECRET_KEY: "{{ .BABYBUDDY_SECRET_KEY }}"
@@ -32,4 +32,4 @@ spec:
     - extract:
         key: babybuddy
     - extract:
-        key: cloudnative-pg
+        key: generic

kubernetes/apps/default/babybuddy/app/helmrelease.yaml

@@ -33,15 +33,16 @@ spec:
           reloader.stakater.com/auto: "true"
         type: statefulset
         initContainers:
-          01-init-db:
+          init-db:
+            order: 1
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: babybuddy-secret
-          02-migrations:
+          migrations:
+            order: 2
             image:
               repository: ghcr.io/auricom/babybuddy
               tag: 2.1.2@sha256:c5529ddb13b5e704ba997c3f555f5e4dcf9f83080370bbb00eef22a10b2c2915
@@ -74,14 +75,14 @@ spec:
               requests:
                 cpu: 100m
                 memory: 256Mi
-        statefulset:
+        # statefulset:
-          volumeClaimTemplates:
+        #   volumeClaimTemplates:
-            - name: config
+        #     - name: config
-              accessMode: ReadWriteOnce
+        #       accessMode: ReadWriteOnce
-              size: 1Gi
+        #       size: 1Gi
-              storageClass: rook-ceph-block
+        #       storageClass: rook-ceph-block
-              globalMounts:
+        #       globalMounts:
-                - path: /config
+        #         - path: /config
     service:
       main:
         ports:

kubernetes/apps/default/babybuddy/ks.yaml

@@ -12,9 +12,8 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
-    - name: cluster-apps-volsync-app
+    # - name: cluster-apps-volsync-app
   interval: 30m
   retryInterval: 1m
   timeout: 3m

kubernetes/apps/default/bazarr/app/externalsecret.yaml

@@ -17,7 +17,7 @@ spec:
         # App
         POSTGRES_ENABLED: "true"
         POSTGRES_DATABASE: &dbName bazarr
-        POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
         POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
         POSTGRES_PORT: "5432"
@@ -31,4 +31,4 @@ spec:
     - extract:
         key: bazarr
     - extract:
-        key: cloudnative-pg
+        key: generic

kubernetes/apps/default/bazarr/app/helmrelease.yaml

@@ -45,10 +45,10 @@ spec:
           reloader.stakater.com/auto: "true"
         initContainers:
           init-db:
+            order: 1
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: atuin-secret

kubernetes/apps/default/bazarr/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-volsync-app
   path: ./kubernetes/apps/default/bazarr/app

kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml

@@ -39,7 +39,7 @@ spec:
   #   - name: postgres-v6
   #     barmanObjectStore:
   #       destinationPath: s3://postgresql/
-  #       endpointURL: http://minio.${SECRET_DOMAIN}:9000
+  #       endpointURL: https://minio.${SECRET_DOMAIN}:9000
   #       s3Credentials:
   #         accessKeyId:
   #           name: postgres-minio

kubernetes/apps/default/freshrss/app/externalsecret.yaml

@@ -16,12 +16,12 @@ spec:
       data:
         # Postgres Init
         INIT_POSTGRES_DBNAME: freshrss
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: freshrss

kubernetes/apps/default/freshrss/app/helmrelease.yaml

@@ -34,10 +34,10 @@ spec:
           reloader.stakater.com/auto: "true"
         initContainers:
           init-db:
+            order: 1
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: freshrss-secret

kubernetes/apps/default/freshrss/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-volsync-app
   interval: 30m

kubernetes/apps/default/ghostfolio/app/externalsecret.yaml

@@ -16,16 +16,16 @@ spec:
       data:
         # App
         ACCESS_TOKEN_SALT: "{{ .GHOSTFOLIO_ACCESS_TOKEN_SALT }}"
-        DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres-rw.default.svc.cluster.local:5432/ghostfolio
+        DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres.${SECRET_DOMAIN}:5432/ghostfolio
         JWT_SECRET_KEY: "{{ .GHOSTFOLIO_JWT_SECRET_KEY }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: ghostfolio
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: ghostfolio

kubernetes/apps/default/ghostfolio/app/helmrelease.yaml

@@ -37,9 +37,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: ghostfolio-secret

kubernetes/apps/default/ghostfolio/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-ghostfolio-redis
   interval: 30m

kubernetes/apps/default/hajimari/app/helmrelease.yaml

@@ -67,7 +67,7 @@ spec:
               url: "https://truenas-remote.${SECRET_DOMAIN}"
             - name: minio
               icon: mdi:aws
-              url: "http://minio.${SECRET_DOMAIN}:9000"
+              url: "https://minio.${SECRET_DOMAIN}:9000"
             - name: pikvm
               icon: mdi:ip-network
               url: "https://pikvm.${SECRET_DOMAIN}"

kubernetes/apps/default/home-assistant/app/externalsecret.yaml

@@ -18,17 +18,17 @@ spec:
         HASS_SECRET_ELEVATION: "{{ .HASS_ELEVATION }}"
         HASS_SECRET_LATITUDE: "{{ .HASS_LATITUDE }}"
         HASS_SECRET_LONGITUDE: "{{ .HASS_LONGITUDE }}"
-        HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/home_assistant"
+        HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/home_assistant"
         HASS_SECRET_URL: "{{ .HASS_URL }}"
         PROMETHEUS_TOKEN: "{{ .PROMETHEUS_TOKEN }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: home_assistant
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: home-assistant

kubernetes/apps/default/home-assistant/app/helmrelease.yaml

@@ -43,9 +43,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: home-assistant-secret

kubernetes/apps/default/home-assistant/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-app
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-volsync-app
   path: ./kubernetes/apps/default/home-assistant/app

kubernetes/apps/default/homelab/ks.yaml

@@ -3,7 +3,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cluster-apps-homnelab-minio
+  name: cluster-apps-homelab-minio
   namespace: flux-system
 spec:
   path: ./kubernetes/apps/default/homelab/minio
@@ -21,7 +21,7 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cluster-apps-homnelab-opnsense
+  name: cluster-apps-homelab-opnsense
   namespace: flux-system
 spec:
   path: ./kubernetes/apps/default/homelab/opnsense
@@ -39,7 +39,7 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: cluster-apps-homnelab-truenas
+  name: cluster-apps-homelab-truenas
   namespace: flux-system
 spec:
   path: ./kubernetes/apps/default/homelab/truenas

kubernetes/apps/default/homelab/minio/backup/rclone.conf

@@ -3,7 +3,7 @@ type = s3
 provider = Minio
 access_key_id = __RCLONE_ACCESS_ID__
 secret_access_key = __RCLONE_SECRET_KEY__
-endpoint = http://minio.${SECRET_DOMAIN}:9000
+endpoint = https://minio.${SECRET_DOMAIN}:9000
 acl = private
 
 [gdrive-homelab-backups]

kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml

@@ -41,7 +41,7 @@ spec:
             command: ["/bin/bash", "/app/opnsense-backup.sh"]
             env:
               OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
-              S3_URL: "http://minio.${SECRET_DOMAIN}:9000"
+              S3_URL: "https://minio.${SECRET_DOMAIN}:9000"
             envFrom:
               - secretRef:
                   name: homelab-opnsense-secret

kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh

@@ -44,7 +44,7 @@ curl -fsSL \
     -H "Date: ${http_request_date}" \
     -H "Content-Type: ${http_content_type}" \
     -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
-    "http://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
+    "https://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
 
 rm /tmp/backup-*.tar
 

kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml

@@ -42,7 +42,8 @@ spec:
             env:
               HOSTNAME: truenas
               TRUENAS_HOME: /mnt/storage/home/homelab
-              CERTS_DEPLOY_S3_ENABLED: "True"
+              CERTS_DEPLOY_MINIO_ENABLED: "True"
+              CERTS_DEPLOY_POSTGRESQL_ENABLED: "True"
             envFrom: &envFrom
               - secretRef:
                   name: &secret homelab-truenas-secret
@@ -54,7 +55,8 @@ spec:
             env:
               HOSTNAME: truenas-remote
               TRUENAS_HOME: /mnt/vol1/home/homelab
-              CERTS_DEPLOY_S3_ENABLED: "False"
+              CERTS_DEPLOY_MINIO_ENABLED: "False"
+              CERTS_DEPLOY_POSTGRESQL_ENABLED: "False"
             envFrom: *envFrom
     service:
       main:

kubernetes/apps/default/homelab/truenas/certs-deploy/truenas-certs-deploy.sh

@@ -12,21 +12,22 @@ if [ "${HOSTNAME}" == "truenas" ]; then
 elif [ "${HOSTNAME}" == "truenas-remote" ]; then
     printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
 fi
-printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED"
+printf -v cert_deploy_minio_enabled_str %q "$CERTS_DEPLOY_MINIO_ENABLED"
+printf -v cert_deploy_postgresql_enabled_str %q "$CERTS_DEPLOY_POSTGRESQL_ENABLED"
 printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN"
 printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
 printf -v secret_domain_str %q "$SECRET_DOMAIN"
 
 scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py
 
-ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
+ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_minio_enabled_str $cert_deploy_postgresql_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
 
 set -o nounset
 set -o errexit
 
-PUSHOVER_API_TOKEN=$3
+PUSHOVER_API_TOKEN=$4
-PUSHOVER_USER_KEY=$4
+PUSHOVER_USER_KEY=$5
-SECRET_DOMAIN=$5
+SECRET_DOMAIN=$6
 
 # Variables
 TARGET=$(hostname)
@@ -38,8 +39,13 @@ export CERTS_DEPLOY_API_KEY=$1
 export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem
 export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem
 if [ "$2" == "True" ]; then
-    export CERTS_DEPLOY_S3_ENABLED=$2
+    export CERTS_DEPLOY_MINIO_ENABLED=$2
 fi
+CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs
+if [ "$3" == "True" ]; then
+    export CERTS_DEPLOY_POSTGRESQL_ENABLED=$3
+fi
+CERTS_DEPLOY_POSTGRESQL_PATH=/mnt/{{ postgresql_pool_name }}/postgresql
 
 # Check if cert is older than 69 days
 result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69)
@@ -60,8 +66,29 @@ else
         set -o errexit
         echo "INFO - Certificate expires in less than $DAYS days"
         echo "INFO - Deploying new certificate"
-        # Deploy certificate (truenas UI & minio)
+        # Deploy certificate (truenas UI)
         python ${SCRIPT_PATH}/certificates_deploy.py
+        # Copy certificates (minio)
+        if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]; then
+            cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/private.key
+            cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/public.crt
+            iocage exec minio_v2 'service minio restart'
+        fi
+        # Copy certificates (postgresql)
+        if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]; then
+            pg_data_dirs=$(find /mnt/{{ postgresql_pool_name }}/postgresql -type d -maxdepth 1 -name '*data*' -exec basename {} \;)
+            for i in $pg_data_dirs; do
+                cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.key
+                cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.crt
+                iocage exec postgresql_v${i: -2} 'service postgresql reload'
+            done
+        fi
+        curl -s \
+            --form-string "token=${PUSHOVER_API_TOKEN}" \
+            --form-string "user=${PUSHOVER_USER_KEY}" \
+            --form-string "message=New Let's Encrypt certificate deployed on $TARGET." \
+            https://api.pushover.net/1/messages.json
+
     else
         echo "INFO - Certificate expires in more than $DAYS"
     fi

kubernetes/apps/default/homelab/truenas/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
   - ./backup
   - ./certs-deploy
   - ./externalsecret.yaml
+  - ./pgdump

kubernetes/apps/default/homelab/truenas/pgdump/externalsecret.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: homelab-truenas-pgdump
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: homelab-truenas-pgdump-secret
+    template:
+      engineVersion: v2
+      data:
+        # App
+        POSTGRES_HOST: postgres.${SECRET_DOMAIN}
+        POSTGRES_USER: "{{ .POSTGRES_SUPER_USER }}"
+        POSTGRES_PASSWORD: "{{ .POSTGRES_SUPER_PASS }}"
+        POSTGRES_PORT: "5432"
+  dataFrom:
+
+    - extract:
+        key: generic

kubernetes/apps/default/homelab/truenas/pgdump/helmrelease.yaml

@@ -0,0 +1,104 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: homelab-truenas-pgdump
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        type: cronjob
+        cronjob:
+          concurrencyPolicy: Forbid
+          schedule: "@daily"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            env:
+              EXCLUDE_DBS: "home_assistant radarr_log sonarr_log prowlarr_log postgres template0 template1"
+            envFrom: &envFrom
+              - secretRef:
+                  name: homelab-truenas-pgdump-secret
+            command:
+              - "/bin/bash"
+              - "-c"
+              - |
+                #!/bin/bash
+
+                set -o nounset
+                set -o errexit
+
+                # File to store the list of databases
+                OUTPUT_FILE="/config/db_list"
+
+                # Export PG password to avoid password prompt
+                export PGPASSWORD=$POSTGRES_PASSWORD
+
+                # Generate a regex pattern for exclusion
+                EXCLUDE_PATTERN=$(echo $EXCLUDE_DBS | sed 's/ /\\|/g')
+
+                # List all databases, exclude the ones in EXCLUDE_DBS, and write to the file
+                psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -lqt | \
+                cut -d \| -f 1 | \
+                grep -Ev "^\s*($EXCLUDE_PATTERN)\s*$" > "$OUTPUT_FILE"
+
+                # Unset PG password
+                unset PGPASSWORD
+
+                echo "Database list saved to $OUTPUT_FILE"
+
+                cat $OUTPUT_FILE
+        containers:
+          main:
+            image:
+              repository: prodrigestivill/postgres-backup-local
+              tag: 16-alpine
+            command: ["/backup.sh"]
+            env:
+              POSTGRES_DB_FILE: /config/db_list
+              POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs"
+              BACKUP_KEEP_DAYS: "7"
+              BACKUP_KEEP_WEEKS: "4"
+              BACKUP_KEEP_MONTHS: "3"
+              HEALTHCHECK_PORT: "8080"
+            envFrom: *envFrom
+    service:
+      main:
+        enabled: false
+    persistence:
+      config:
+        enabled: true
+        type: emptyDir
+        globalMounts:
+          - path: /config
+      backups:
+        enabled: true
+        type: nfs
+        server: "${LOCAL_LAN_TRUENAS}"
+        path: /mnt/storage/backups/postgresql
+        globalMounts:
+          - path: /backups

kubernetes/apps/default/homelab/truenas/pgdump/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml

kubernetes/apps/default/immich/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
       data:
         # App
         DB_DATABASE_NAME: &dbName immich
-        DB_HOSTNAME: &dbHost postgres-rw.default.svc.cluster.local
+        DB_HOSTNAME: &dbHost postgres.${SECRET_DOMAIN}
         DB_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
         DB_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
         DB_PORT: "5432"
@@ -30,6 +30,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: immich

kubernetes/apps/default/immich/app/server/helmrelease.yaml

@@ -55,9 +55,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - configMapRef:
                   name: *configMap

kubernetes/apps/default/immich/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/default/immich/app
   prune: true

kubernetes/apps/default/invidious/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
       data:
         # App
         INVIDIOUS_CONFIG: |
-          database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/invidious
+          database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/invidious
           check_tables: true
           port: 3000
           domain: invidious.${SECRET_CLUSTER_DOMAIN}
@@ -24,12 +24,12 @@ spec:
           hmac_key: {{ .HMAC_KEY }}
         # Postgres Init
         INIT_POSTGRES_DBNAME: invidious
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: invidious

kubernetes/apps/default/invidious/app/helmrelease.yaml

@@ -35,9 +35,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: invidious-secret

kubernetes/apps/default/invidious/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   interval: 30m
   retryInterval: 1m

kubernetes/apps/default/joplin/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
       data:
         # App
         POSTGRES_DATABASE: &dbName joplin
-        POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local.
+        POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}.
         POSTGRES_PORT: "5432"
         POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
         POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
@@ -28,6 +28,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: joplin

kubernetes/apps/default/joplin/app/helmrelease.yaml

@@ -35,9 +35,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: joplin-secret

kubernetes/apps/default/joplin/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   interval: 30m
   retryInterval: 1m

kubernetes/apps/default/kresus/app/externalsecret.yaml

@@ -15,7 +15,7 @@ spec:
       engineVersion: v2
       data:
         # App
-        KRESUS_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        KRESUS_DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
         KRESUS_DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
         KRESUS_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
         KRESUS_DB_NAME: &dbName kresus
@@ -29,6 +29,6 @@ spec:
 
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: kresus

kubernetes/apps/default/kresus/app/helmrelease.yaml

@@ -41,9 +41,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: kresus-secret

kubernetes/apps/default/kresus/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-volsync-app
   interval: 30m

kubernetes/apps/default/libmedium/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   interval: 30m
   retryInterval: 1m

kubernetes/apps/default/linkding/app/externalsecret.yaml

@@ -18,7 +18,7 @@ spec:
         LD_DB_ENGINE: "postgres"
         LD_DB_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
         LD_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
-        LD_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        LD_DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
         LD_DB_DATABASE: &dbName linkding
         LD_SUPERUSER_NAME: "{{ .username }}"
         LD_SUPERUSER_PASSWORD: "{{ .password }}"
@@ -30,6 +30,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: linkding

kubernetes/apps/default/linkding/app/helmrelease.yaml

@@ -35,9 +35,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: linkding-secret

kubernetes/apps/default/linkding/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   interval: 30m
   retryInterval: 1m

kubernetes/apps/default/lldap/app/externalsecret.yaml

@@ -20,10 +20,10 @@ spec:
         LLDAP_USER_DN: "{{ .username }}"
         LLDAP_LDAP_USER_EMAIL: "{{ .LLDAP_LDAP_USER_EMAIL }}"
         LLDAP_SERVER_KEY_SEED: "{{ .LLDAP_SERVER_KEY_SEED }}"
-        LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/lldap"
+        LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/lldap"
         # Postgres Init
         INIT_POSTGRES_DBNAME: lldap
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
@@ -31,4 +31,4 @@ spec:
     - extract:
         key: lldap
     - extract:
-        key: cloudnative-pg
+        key: generic

kubernetes/apps/default/lldap/ks.yaml

@@ -6,8 +6,6 @@ metadata:
   name: cluster-apps-lldap
   namespace: flux-system
 spec:
-  dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
   path: ./kubernetes/apps/default/lldap/app
   prune: true
   sourceRef:

kubernetes/apps/default/lychee/app/externalsecret.yaml

@@ -15,7 +15,7 @@ spec:
       engineVersion: v2
       data:
         # App
-        DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
         DB_PORT: "5432"
         DB_DATABASE: &dbName lychee
         DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
@@ -28,6 +28,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: lychee

kubernetes/apps/default/lychee/app/helmrelease.yaml

@@ -35,11 +35,10 @@ spec:
           reloader.stakater.com/auto: "true"
         type: statefulset
         initContainers:
-          01-init-db:
+          init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: lychee-secret

kubernetes/apps/default/lychee/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-lychee-redis
     - name: cluster-apps-rook-ceph-cluster

kubernetes/apps/default/outline/app/externalsecret.yaml

@@ -19,15 +19,16 @@ spec:
         AWS_SECRET_ACCESS_KEY: "{{ .OUTLINE_AWS_SECRET_ACCESS_KEY }}"
         SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}"
         UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}"
-        DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local:5432/outline
+        DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline
+        PGSSLMODE: require
         # Postgres Init
         INIT_POSTGRES_DBNAME: outline
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: outline

kubernetes/apps/default/outline/app/helmrelease.yaml

@@ -31,30 +31,30 @@ spec:
   values:
     controllers:
       main:
-        type: statefulset
         annotations:
           reloader.stakater.com/auto: "true"
         initContainers:
-          init-db:
+          # init-db:
-            image:
+          #   image:
-              repository: ghcr.io/auricom/postgres-init
+          #     repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+          #     tag: 16
-              pullPolicy: IfNotPresent
+          #   envFrom: &envFrom
-            envFrom: &envFrom
+          #     - secretRef:
-              - secretRef:
+          #         name: outline-secret
-                  name: outline-secret
         containers:
           main:
             image:
               repository: docker.io/outlinewiki/outline
               tag: 0.74.0
-            envFrom: *envFrom
+            envFrom:
+              - secretRef:
+                  name: outline-secret
             env:
               AWS_REGION: us-east-1
               AWS_S3_ACL: private
               AWS_S3_FORCE_PATH_STYLE: "true"
               AWS_S3_UPLOAD_BUCKET_NAME: outline
-              AWS_S3_UPLOAD_BUCKET_URL: "http://minio.${SECRET_DOMAIN}:9000"
+              AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}:9000"
               ENABLE_UPDATES: "false"
               FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
               OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
@@ -65,7 +65,6 @@ spec:
               OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
               OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
               OIDC_USERNAME_CLAIM: email
-              PGSSLMODE: disable
               PORT: 8080
               REDIS_URL: redis://outline-redis.default.svc.cluster.local.:6379
               SMTP_HOST: smtp-relay.default.svc.cluster.local.

kubernetes/apps/default/outline/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-outline-redis
   interval: 30m

kubernetes/apps/default/paperless/app/externalsecret.yaml

@@ -20,7 +20,7 @@ spec:
         PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}"
         PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}"
         PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}"
-        PAPERLESS_DBHOST: &dbHost postgres-rw.default.svc.cluster.local
+        PAPERLESS_DBHOST: &dbHost postgres.${SECRET_DOMAIN}
         PAPERLESS_DBPORT: "5432"
 
         # Postgres Init
@@ -31,6 +31,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: paperless

kubernetes/apps/default/paperless/app/helmrelease.yaml

@@ -37,9 +37,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: paperless-secret

kubernetes/apps/default/paperless/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-paperless-redis
   interval: 30m

kubernetes/apps/default/prowlarr/app/externalsecret.yaml

@@ -15,7 +15,7 @@ spec:
       data:
         # App
         PROWLARR__API_KEY: "{{ .PROWLARR__API_KEY }}"
-        PROWLARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        PROWLARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         PROWLARR__POSTGRES_PORT: "5432"
         PROWLARR__POSTGRES_USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}"
         PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}"

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -34,9 +34,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: prowlarr-secret

kubernetes/apps/default/pushover-notifier/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
       data:
         # App
         POSTGRES_DB: &dbName pushover-notifier
-        POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
         POSTGRES_PASS: &dbPass "{{ .POSTGRES_PASS }}"
         PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
@@ -29,7 +29,7 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: pushover-notifier
     - extract:

kubernetes/apps/default/pushover-notifier/app/github-releases/helmrelease.yaml

@@ -36,9 +36,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: pushover-notifier-secret

kubernetes/apps/default/pushover-notifier/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
   path: ./kubernetes/apps/default/pushover-notifier/app
   prune: true

kubernetes/apps/default/radarr/app/externalsecret.yaml

@@ -15,7 +15,7 @@ spec:
       data:
         # App
         RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
-        RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        RADARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         RADARR__POSTGRES_PORT: "5432"
         RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
         RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
@@ -31,7 +31,7 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: pushover
     - extract:

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -42,9 +42,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: radarr-secret

kubernetes/apps/default/radarr/ks.yaml

@@ -7,7 +7,6 @@ metadata:
   namespace: flux-system
 spec:
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app

kubernetes/apps/default/sharry/app/config/sharry.conf

@@ -14,7 +14,7 @@ sharry.restserver {
       fixed.enabled = false
     }
     jdbc {
-      url = "jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/sharry"
+      url = "jdbc:postgresql://postgres.${SECRET_DOMAIN}:5432/sharry?ssl=true&sslmode=require"
       user = "${SECRET_SHARRY_DB_USERNAME}"
       password = "${SECRET_SHARRY_DB_PASSWORD}"
     }
@@ -33,7 +33,7 @@ sharry.restserver {
         minio =
           { enabled = true
             type = "s3"
-            endpoint = "http://minio.${SECRET_DOMAIN}:9000"
+            endpoint = "https://minio.${SECRET_DOMAIN}:9000"
             access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}"
             secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}"
             bucket = "sharry"

kubernetes/apps/default/sharry/app/externalsecret.yaml

@@ -16,12 +16,12 @@ spec:
       data:
         # Postgres Init
         INIT_POSTGRES_DBNAME: sharry
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
-        INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
+        INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
-        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
+        INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: sharry

kubernetes/apps/default/sharry/app/helmrelease.yaml

@@ -34,9 +34,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: sharry-secret

kubernetes/apps/default/sharry/ks.yaml

@@ -11,8 +11,6 @@ spec:
   sourceRef:
     kind: GitRepository
     name: home-ops-kubernetes
-  dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
   interval: 30m
   retryInterval: 1m
   timeout: 3m

kubernetes/apps/default/sonarr/app/externalsecret.yaml

@@ -15,7 +15,7 @@ spec:
       data:
         # App
         SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
-        SONARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        SONARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         SONARR__POSTGRES_PORT: "5432"
         SONARR__POSTGRES_USER: &dbUser "{{ .SONARR__POSTGRES_USER }}"
         SONARR__POSTGRES_PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}"
@@ -31,7 +31,7 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: pushover
     - extract:

kubernetes/apps/default/sonarr/app/helmrelease.yaml

@@ -41,9 +41,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: sonarr-secret

kubernetes/apps/default/tandoor/app/externalsecret.yaml

@@ -16,7 +16,7 @@ spec:
         # App
         DB_ENGINE: django.db.backends.postgresql_psycopg2
         SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}"
-        POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
+        POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
         POSTGRES_PORT: "5432"
         POSTGRES_DB: &dbName tandoor
         POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}"
@@ -29,6 +29,6 @@ spec:
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: tandoor

kubernetes/apps/default/tandoor/app/helmrelease.yaml

@@ -38,15 +38,16 @@ spec:
         annotations:
           reloader.stakater.com/auto: "true"
         initContainers:
-          01-init-db:
+          init-db:
+            order: 1
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: tandoor-secret
-          02-init-migrate:
+          migrations:
+            order: 2
             image:
               repository: vabene1111/recipes
               tag: 1.5.10

kubernetes/apps/default/tandoor/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app

kubernetes/apps/default/vaultwarden/app/externalsecret.yaml

@@ -15,16 +15,16 @@ spec:
       engineVersion: v2
       data:
         # App
-        DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/vaultwarden
+        DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/vaultwarden
         ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: vaultwarden
-        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+        INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
         INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
         INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
         INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
   dataFrom:
     - extract:
-        key: cloudnative-pg
+        key: generic
     - extract:
         key: vaultwarden

kubernetes/apps/default/vaultwarden/app/helmrelease.yaml

@@ -35,9 +35,8 @@ spec:
         initContainers:
           init-db:
             image:
-              repository: ghcr.io/auricom/postgres-init
+              repository: ghcr.io/onedr0p/postgres-init
-              tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
+              tag: 16
-              pullPolicy: IfNotPresent
             envFrom: &envFrom
               - secretRef:
                   name: vaultwarden-secret
@@ -68,14 +67,14 @@ spec:
                 memory: 100Mi
               limits:
                 memory: 2Gi
-        statefulset:
+        # statefulset:
-          volumeClaimTemplates:
+        #   volumeClaimTemplates:
-            - name: config
+        #     - name: config
-              accessMode: ReadWriteOnce
+        #       accessMode: ReadWriteOnce
-              size: 10Gi
+        #       size: 10Gi
-              storageClass: rook-ceph-block
+        #       storageClass: rook-ceph-block
-              globalMounts:
+        #       globalMounts:
-                - path: /data
+        #         - path: /data
     service:
       main:
         ports:

kubernetes/apps/default/vaultwarden/ks.yaml

@@ -12,7 +12,6 @@ spec:
     kind: GitRepository
     name: home-ops-kubernetes
   dependsOn:
-    - name: cluster-apps-cloudnative-pg-cluster
     - name: cluster-apps-external-secrets-stores
     - name: cluster-apps-rook-ceph-cluster
     - name: cluster-apps-volsync-app